Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 51DDCC0001 for ; Wed, 3 Mar 2021 02:35:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 21BC883883 for ; Wed, 3 Mar 2021 02:35:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.505 X-Spam-Level: X-Spam-Status: No, score=-0.505 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URI_DOTEDU=0.001] autolearn=no autolearn_force=no Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3RcTdz-wHtx for ; Wed, 3 Mar 2021 02:35:24 +0000 (UTC) X-Greylist: delayed 03:29:37 by SQLgrey-1.8.0 Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) by smtp1.osuosl.org (Postfix) with ESMTPS id EDC1B83843 for ; Wed, 3 Mar 2021 02:35:23 +0000 (UTC) Received: by mail-wm1-x332.google.com with SMTP id o2so4176688wme.5 for ; Tue, 02 Mar 2021 18:35:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=eo+yrz21z/F5J2XjUHFnxAGSgSGsPspjPifScFPRds0=; b=jILFRzmjeQ8p8ljisRGUMxQThRFA79j7Zd+bHwyV95IYX4xGgUyYdV4Qp4K8Z+Zjju XTHDtzFtMzsXeQjkc8wJOpdUF1BuM8VeupE24Efq1sfubTb4rjUoA/Fhjtw//rkoinRv wv1af0WttWLK4oZqTnA+AJUR1oP3elD3jaWholnqshrg/wzenYVGMdlAHUOAljLyqk75 gq+/VAYCNChcpM4Kv90PLLwGcCSrqL27ShzTupkaQBoILDoJnP0nu21JifWgwFc4YzfT p3bIbAnYe9aq43baZIH9Pje0PsSLbErDe18GQiyjjVb6RQw7e4XA+zuhC+Sr7e1908Fk GOJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=eo+yrz21z/F5J2XjUHFnxAGSgSGsPspjPifScFPRds0=; b=DC0QQT8nCYVWL1UMYMLMEh81P4EQG8boxyUgXvmXCITj2zaQk2UReDPhVrzNsQ0WzG WuJgpRXTHQ+cHlmDUimjVoFErJOBiyMzGkD4GSlK8b6rO5weoAYdpxe8QAwv4NGdBwiB SIaAskfFKn8ayFGs30INCV3X6lTyJ/4Pa8R2PtPwTQJh2Y1bSB80yEQqxSkKaPbde1YF A2VxMzRgf0iKDukN7ghY01Td3pC/uOUgOk7s/A0whdNJsCmnklUPNZEfoicu4Dye7QkI p+FBHOwieQ74KoQH33q1muxAtkDncBdhgPUoGbkiksPnoFtKSEPvAklfRRzwJ5TfBge7 3INw== X-Gm-Message-State: AOAM533b1WlSdudYrC41F5XnP04lACi8r6z3ynG2HEBxk8jxdJIDxwWn PEN4UVEaJJu9b+Olv9DIkMGjH00K+faNw/GsYc4XRgfjmRM= X-Google-Smtp-Source: ABdhPJxwPRFxRKWLdki38aLjbxTmHyglSax/G8aUwM7pcfItHSkciq0WGKXzjyPBN8ciuSoCk4vly5iPTCGA69jXxuM= X-Received: by 2002:a05:600c:22d1:: with SMTP id 17mr6080227wmg.168.1614724946778; Tue, 02 Mar 2021 14:42:26 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Antoine Riard Date: Tue, 2 Mar 2021 17:42:14 -0500 Message-ID: To: John Newbery , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000dcdff005bc9572c6" X-Mailman-Approved-At: Wed, 03 Mar 2021 10:02:05 +0000 Subject: Re: [bitcoin-dev] Proposal for new "disabletx" p2p message X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Mar 2021 02:35:28 -0000 --000000000000dcdff005bc9572c6 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > I believe this is what BIP 60 does, or did you have something else in > mind? Right, it achieves the first goal of dissociating `fRelay` from BIP37 but it doesn't document Core specific behavior of disconnecting peers for raw TX messages reception from outbound block-relay-only peers, as implemented by PR 15759. I think BIP 60 is as much unclear as BIP37 "Whether the remote peer should announce relayed transactions or not, see BIP 0037, since version >=3D 70001". A fir= st interpretation could be that all tx-relay messages are disabled. A second interpretation could be that only _tx-announcement_ messages (e.g INV(TX)) are disabled. It could be argued that #15759 introduced incompatible changes between a Bitcon Core 0.19.0 node and a BIP37 compliant peer on the p2p network. Post-15759, the message space allowed to a BIP37 peer has been reduced...Note that BIP60 isn't listed as implemented in bitcoin/doc/bips.md. I believe that BIP338 has the merit of making those subjects clear and easy to follow by any Bitcoin software. Instead of spawning discussion around old, lightclient-related BIPs or Core undocumented disabling transaction relay mechanism being de facto part of the p2p protocol. > Sorry - I meant that Bitcoin Core should allow a certain number of > inbound peers that do not relay txs. This would be in addition to the > full-relay inbound peers. Yes, I agree on the purpose. But I don't think we need to "allow" further disabled-tx peers by our inbound connection selection or eviction logics. Turning a few bits in a protocol message sounds a too-cheap burden on potential attackers contrary to most of our current eviction heuristics, forcing some work ("announce transaction fast, "be located in some subnet", "announce block fast"). Though better to discuss this later, not the main point of your proposal. Antoine Le mar. 2 mars 2021 =C3=A0 07:22, John Newbery via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > Antoine, > > Nothing in my proposal below precludes introducing a more comprehensive > feature negotiation mechanism at some later date. The only changes I'm > proposing are to Bitcoin Core's policy for how it treats its peer > connections. > > > If we don't want to introduce a new message and > > corresponding code changes, it would be wise at least to extract > VERSION's > > `fRelay` and how Core handles it in its own BIP. > > I believe this is what BIP 60 does, or did you have something else in > mind? > > > Explicit addr-relay negotiation will offer more > > flexibility > > I agree! > > > (and more hygienic code paths rather than triggering data > > structures initialization in few different locations). > > Not sure what you mean by hygienic here. This seems like a code style > preference. > > > Given inbound connections might be attacker-controlled and tx-relay > opt-out > > signaling is also attacker-controlled, wouldn't this give a bias toward > an > > attacker in occupying our inbound slots ? Compared to honest inbound > peers, > > which in average are going to be full-relay. > > Sorry - I meant that Bitcoin Core should allow a certain number of > inbound peers that do not relay txs. This would be in addition to the > full-relay inbound peers. > > John > > On Mon, Mar 1, 2021 at 11:11 PM Antoine Riard > wrote: > >> Hi John, >> >> > I think a good counter-argument against simply using `fRelay` for this >> > purpose is that we shouldn't reuse a protocol feature designed for one >> > function to achieve a totally different aim. However, we know that nod= es >> > on the network have been using `fRelay` to disable transaction relay >> > since Bitcoin Core version 0.12 (when `-blocksonly` was added), and th= at >> > usage was expanded to _all_ nodes running Bitcoin Core version 0.19 or >> > later (when block-relay-only connections were introduced), so using >> > `fRelay` to disable transaction relay is now de facto part of the p2p >> > protocol. >> >> >> I don't think this is good practice ecosystem-wise. To understand >> tx-relay opt-out from peers correctly, a _non_ Bitcoin Core client has t= o >> implement the `fRelay` subset of BIP37, but ignore the wider part around >> FILTER* messages. Or implement those messages, only to disconnect peers >> sending them, thus following BIP111 requirements. >> >> Thus, future developers of bitcoin software have the choice between >> implementing a standard in a non-compliant way or implementing p2p messa= ges >> for a light client protocol in a way of deprecation ? Even further, an >> interpretation of BIP 37 ("Being able to opt-out of _inv_ messages until >> the filter is set prevents a client being flooded with traffic in the br= ief >> window of time") would make it okay to send TX messages to your inbound >> block-relay-only peers. And that your client shouldn't be disconnected f= or >> such behavior. >> >> On the long-term, IMHO, better to have a well-defined standard with a >> clean negotiation mechanism rather than relying on code specifics of a >> given Bitcoin client. If we don't want to introduce a new message and >> corresponding code changes, it would be wise at least to extract VERSION= 's >> `fRelay` and how Core handles it in its own BIP. >> >> > I think a better approach would be for Bitcoin Core to only relay addr >> > records to an inbound peer if it has previously received an `addr` or >> > `addrv2` message from that peer, since that indicates definitively tha= t >> > the peer actively gossips `addr` records. This approach was first >> > suggested by AJ in the original block-relay-only PR[15]. >> >> If a node is willingly to opt-out from addr-relay from one of its inboun= d >> peers, how is it supposed to do ? Of course, you can drop such messages = on >> the floor, your peer is just going to waste bandwidth for nothing. IIRC >> from past irc p2p meetings, we're really unclear about what a >> good-propagation-and-privacy-preserving addr-relay strategy should look >> like. Note, that distrusting your inbound peers with your addr-relay mig= ht >> be a sane direction. Explicit addr-relay negotiation will offer more >> flexibility (and more hygienic code paths rather than triggering data >> structures initialization in few different locations). >> >> > - update the inbound eviction logic to protect more inbound peers whic= h >> > do not have transaction relay data structures. >> >> Given inbound connections might be attacker-controlled and tx-relay >> opt-out signaling is also attacker-controlled, wouldn't this give a bias >> toward an attacker in occupying our inbound slots ? Compared to honest >> inbound peers, which in average are going to be full-relay. >> >> Cheers, >> Antoine >> >> >> >> Le lun. 1 mars 2021 =C3=A0 16:07, John Newbery via bitcoin-dev < >> bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : >> >>> Hi Suhas, >>> >>> Thank you for this proposal. I agree with your aims, but I think a new >>> P2P message isn't necessary to achieve them. >>> >>> # Motivation >>> >>> There are two distinct (but interacting) motivations: >>> >>> 1. Allow a node to accept more incoming connections which will only be >>> used for block propagation (no transaction relay or addr gossip), >>> while minimizing resource requirements. >>> >>> 2. Prevent `addr` gossip messages from being sent to peers which will >>> 'black hole' those addrs (i.e. not relay them further). >>> >>> These motivations interact because if we simply increase the number of >>> block-relay-only connections that nodes make without making any >>> allowance for the fact those connections won't gossip addr records, the= n >>> we'll increase the number of addr black holes and worsen addr gossip. >>> >>> # Using fRelay=3Dfalse to signal no transaction relay. >>> >>> `fRelay` is an optional field in the `version` message. There are three >>> BIPs concerned with `fRelay`: >>> >>> - BIP 37[1] introduced the `fRelay` field to indicate to the recipient >>> that they must not relay transactions over the connection until a >>> `filteradd` message has been received. >>> >>> - BIP 60[2] aimed to make the `fRelay` field mandatory. It is not clear >>> how widely this BIP has been adopted by implementations. >>> >>> - BIP 111[3] introduced a `NODE_BLOOM` service bit to indicate that >>> bloom filters are served by this node. According to this BIP, "If a >>> node does not support bloom filters but receives a "filterload", >>> "filteradd", or "filterclear" message from a peer the node should >>> disconnect that peer immediately." >>> >>> Within Bitcoin Core: >>> >>> - PR 1795[4] (merged in January 2013) added support for BIP 37 Bloom >>> filters. >>> >>> - Since PR 2763[5] (merged in June 2013), Bitcoin Core will _always_ >>> include the `fRelay` flag in `version` messages that it sends. Bitcoi= n >>> Core will tolerate the `fRelay` field being present or absent in any >>> `version` message that it receives[6]. >>> >>> - PR 6579[7] (merged in August 2015) implemented BIP 111. From that >>> point on, a Bitcoin Core node would disconnect peers that sent it >>> `filter*` messages if it hadn't enabled `NODE_BLOOM`, provided the >>> peer's version was >=3D 70011. In PR 7708[8] (merged in March 2016) t= his >>> was extended to disconnect any peer that sends a `filter*` message, >>> regardless of its version (in general, a 'polite disconnect' for any >>> peer that requests an unsupported service is probably the best >>> behaviour). In PR 16152[9] (merged in July 2019), serving Bloom >>> filters was disabled by default, due to potential denial-of-service >>> attacks being possible against nodes which serve bloom filters on >>> public connections. >>> >>> - PR 6993[10] (merged in November 2015) started reusing the `fRelay` >>> field for the new `-blocksonly` mode. If Bitcoin Core is started with >>> `-blocksonly` configured, then it includes `fRelay=3Dfalse` in all of >>> the `version` messages it sends. In PR 15759[11] (merged in Septembe= r >>> 2019), this usage of `fRelay` to permanently disable tx relay was >>> extended for use by the new block-relay only connection type. >>> >>> The net effect is that `fRelay` is already being used to indicate that >>> transactions should not be relayed over a connection. In the motivation >>> for your BIP, you write: >>> >>> > The low-bandwidth / minimal-resource nature of these connections is >>> > currently known only by the initiator of the connection; this is >>> > because the transaction relay field in the version message is not a >>> > permanent setting for the lifetime of the connection. Consequently, = a >>> > node receiving an inbound connection with transaction relay disabled >>> > cannot distinguish between a peer that will never enable transaction >>> > relay (as described in BIP 37) and one that will... >>> >>> However, as AJ points out in his response [12], the Bitcoin Core node >>> _does_ know whether transaction relay can be supported as soon as the >>> `version` message is received: >>> >>> > [...] you either set m_tx_relay->fRelayTxes to true via the VERSION >>> > message (either explicitly or by not setting fRelay), or you enable i= t >>> > later with FILTERLOAD or FILTERCLEAR, both of which will cause a >>> > disconnect if bloom filters aren't supported. Bloom filter support is >>> > (optionally?) indicated via a service bit (BIP 111), so you could >>> > assume you know whether they're supported as soon as you receive the >>> > VERSION line. >>> >>> i.e. if Bitcoin Core node is running under normal configuration with >>> bloom filters disabled for public connections (which is both the defaul= t >>> setting and highly recommended due to DoS concerns), then as soon as it >>> receives a `version` message with `fRelay=3Dfalse`, it can be sure that >>> there will never be any transaction relay with that peer. If the peer >>> later tries to enable transaction relay by sending a `filterload` >>> message, then the node will disconnect that peer immediately. >>> >>> In summary, we can continue using the `fRelay` field to indicate that >>> no transaction relay can happen for the entire lifetime of the >>> connection. Bitcoin Core can postpone allocating resources for >>> transaction relay data structures until after the version message has >>> been received to minimize resource usage for incoming block-relay-only >>> connections. A rough implementation is here[13]. Obviously, a node that >>> has been configured to serve bloom filters on public connections would >>> not be able to take advantage of this and accept additional incoming >>> block-relay-only peers, but I think that's fine - we already discourage >>> that configuration. >>> >>> I think a good counter-argument against simply using `fRelay` for this >>> purpose is that we shouldn't reuse a protocol feature designed for one >>> function to achieve a totally different aim. However, we know that node= s >>> on the network have been using `fRelay` to disable transaction relay >>> since Bitcoin Core version 0.12 (when `-blocksonly` was added), and tha= t >>> usage was expanded to _all_ nodes running Bitcoin Core version 0.19 or >>> later (when block-relay-only connections were introduced), so using >>> `fRelay` to disable transaction relay is now de facto part of the p2p >>> protocol. >>> >>> # Preventing addr black holes >>> >>> Addresses of potential peers are gossiped around the p2p network using >>> `addr` messages. When a Bitcoin Core node learns of a new `addr` record= , >>> it will relay that record to one or two of its peers, chosen at >>> random[14]. The idea is that eventually the `addr` record will reach >>> most of the nodes on the network. >>> >>> If there are too many nodes on the network that receive `addr` records >>> and do not relay those records on to their peers (termed _addr black >>> hole_ nodes), then propagation of those `addr` records suffers -- any >>> individual `addr` record is unlikely to reach a large proportion of >>> nodes on the network. >>> >>> Since a motivation for block-relay-only connections is to protect >>> against eclipse attacks and thwart network topology analysis, Bitcoin >>> Core will not relay `addr` records on those connections, and will ignor= e >>> any `addr` record received over those connections. Therefore, increasin= g >>> the number of block-relay-only connections without changing the `addr` >>> gossip logic is likely to increase the prevalence of addr black holes, >>> and negatively impact addr propagation. This is why BIP 338 includes: >>> >>> > It is RECOMMENDED that a node that has sent or received a disabletx >>> > message to/from a peer not send any of these messages to the peer: >>> > >>> > - addr/getaddr >>> > - addrv2 (BIP 155) >>> >>> I think a better approach would be for Bitcoin Core to only relay addr >>> records to an inbound peer if it has previously received an `addr` or >>> `addrv2` message from that peer, since that indicates definitively that >>> the peer actively gossips `addr` records. This approach was first >>> suggested by AJ in the original block-relay-only PR[15]. >>> >>> An advantage of this approach is that it will improve addr propagation >>> immediately and without any change to the P2P protocol, and will preven= t >>> sending `addr` records to all addr black holes (such as light clients), >>> not just incoming block-relay-only connections. >>> >>> # Conclusion >>> >>> We can increase the permitted number of inbound block-relay-only peers >>> while minimizing resource requirement _and_ improving addr record >>> propagation, without any changes to the p2p protocol required. >>> >>> I propose that for Bitcoin Core version 22.0: >>> >>> - only initialize the transaction relay data structures after the >>> `version` message is received, and only if fRelay=3Dtrue and >>> `NODE_BLOOM` is not offered on this connection. >>> - only initialize the addr data structures for inbound connections when >>> an `addr`, `addrv2` or `getaddr` message is received on the >>> connection, and only consider a connection for addr relay if its addr >>> data structures are initialized. >>> - update the inbound eviction logic to protect more inbound peers which >>> do not have transaction relay data structures. >>> >>> Then, in version 23.0: >>> >>> - modestly increase the number of outbound block-relay-only connections= . >>> >>> John >>> >>> [1] https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki >>> [2] https://github.com/bitcoin/bips/blob/master/bip-0060.mediawiki >>> [3] https://github.com/bitcoin/bips/blob/master/bip-0111.mediawiki >>> [4] https://github.com/bitcoin/bitcoin/pull/1795 >>> [5] https://github.com/bitcoin/bitcoin/pull/2763 >>> [6] >>> https://github.com/bitcoin/bitcoin/blob/e49117470b77fb7d53be122c6490ba1= 63c6e304d/src/net_processing.cpp#L2582-L2583 >>> [7] https://github.com/bitcoin/bitcoin/pull/6579 >>> [8] https://github.com/bitcoin/bitcoin/pull/7708 >>> [9] https://github.com/bitcoin/bitcoin/pull/16152 >>> [10] https://github.com/bitcoin/bitcoin/pull/6993 >>> [11] https://github.com/bitcoin/bitcoin/pull/15759 >>> [12] >>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/01= 8347.html >>> [13] https://github.com/jnewbery/bitcoin/tree/2021-02-lazy-init-peer >>> [14] >>> https://github.com/bitcoin/bitcoin/blob/e52ce9f2b312b3cf3b0837918e07d76= 03e241d63/src/net_processing.cpp#L1696-L1700 >>> [15] >>> https://github.com/bitcoin/bitcoin/pull/15759#issuecomment-527012757 >>> >>> > Hi, >>> > >>> > I'm proposing the addition of a new, optional p2p message to allow >>> peers to communicate that they do not want to send or receive (loose) >>> transactions for the lifetime of a connection. >>> > >>> > The goal of this message is to help facilitate connections on the >>> network over which only block-related data (blocks/headers/compact >>> blocks/etc) are relayed, to create low-resource connections that help >>> protect against partition attacks on the network. In particular, by ad= ding >>> a network message that communicates that transactions will not be relay= ed >>> for the life of the connection, we ease the implementation of software = that >>> could have increased inbound connection limits for such peers, which in >>> turn will make it easier to add additional persistent block-relay-only >>> connections on the network -- strengthening network security for little >>> additional bandwidth. >>> > >>> > Software has been deployed for over a year now which makes such >>> connections, using the BIP37/BIP60 "fRelay" field in the version messag= e to >>> signal that transactions should not be sent initially. However, BIP37 >>> allows for transaction relay to be enabled later in the connection's >>> lifetime, complicating software that would try to distinguish inbound p= eers >>> that will never relay transactions from those that might. >>> > >>> > This proposal would add a single new p2p message, "disabletx", which >>> (if used at all) must be sent between version and verack. I propose th= at >>> this message is valid for peers advertising protocol version 70017 or >>> higher. Software is free to implement this BIP or ignore this message = and >>> remain compatible with software that does implement it. >>> > >>> > Full text of the proposed BIP is below. >>> > >>> > Thanks, >>> > Suhas >>> > >>> > --------------------------------------------------- >>> > >>> > 
>>> >   BIP: XXX
>>> >   Layer: Peer Services
>>> >   Title: Disable transaction relay message
>>> >   Author: Suhas Daftuar 
>>> >   Comments-Summary: No comments yet.
>>> >   Comments-URI:
>>> >   Status: Draft
>>> >   Type: Standards Track
>>> >   Created: 2020-09-03
>>> >   License: BSD-2-Clause
>>> >
>>> > >>> > =3D=3DAbstract=3D=3D >>> > >>> > This BIP describes a change to the p2p protocol to allow a node to >>> tell a peer >>> > that a connection will not be used for transaction relay, to support >>> > block-relay-only connections that are currently in use on the network= . >>> > >>> > =3D=3DMotivation=3D=3D >>> > >>> > For nearly the past year, software has been deployed[1] which initiat= es >>> > connections on the Bitcoin network and sets the transaction relay fie= ld >>> > (introduced by BIP 37 and also defined in BIP 60) to false, to preven= t >>> > transaction relay from occurring on the connection. Additionally, add= r >>> messages >>> > received from the peer are ignored by this software. >>> > >>> > The purpose of these connections is two-fold: by making additional >>> > low-bandwidth connections on which blocks can propagate, the >>> robustness of a >>> > node to network partitioning attacks is strengthened. Additionally, >>> by not >>> > relaying transactions and ignoring received addresses, the ability of >>> an >>> > adversary to learn the complete network graph (or a subgraph) is >>> reduced[2], >>> > which in turn increases the cost or difficulty to an attacker seeking >>> to carry >>> > out a network partitioning attack (when compared with having such >>> knowledge). >>> > >>> > The low-bandwidth / minimal-resource nature of these connections is >>> currently >>> > known only by the initiator of the connection; this is because the >>> transaction >>> > relay field in the version message is not a permanent setting for the >>> lifetime >>> > of the connection. Consequently, a node receiving an inbound >>> connection with >>> > transaction relay disabled cannot distinguish between a peer that wil= l >>> never >>> > enable transaction relay (as described in BIP 37) and one that will. >>> Moreover, >>> > the node also cannot determine that the incoming connection will >>> ignore relayed >>> > addresses; with that knowledge a node would likely choose other peers >>> to >>> > receive announced addresses instead. >>> > >>> > This proposal adds a new, optional message that a node can send a pee= r >>> when >>> > initiating a connection to that peer, to indicate that connection >>> should not be >>> > used for transaction-relay for the connection's lifetime. In addition= , >>> without >>> > a current mechanism to negotiate whether addresses should be relayed >>> on a >>> > connection, this BIP suggests that address messages not be sent on >>> links where >>> > tx-relay has been disabled. >>> > >>> > =3D=3DSpecification=3D=3D >>> > >>> > # A new disabletx message is added, which is defined as an empty >>> message where pchCommand =3D=3D "disabletx". >>> > # The protocol version of nodes implementing this BIP must be set to >>> 70017 or higher. >>> > # If a node sets the transaction relay field in the version message t= o >>> a peer to false, then the disabletx message MAY also be sent in respons= e to >>> a version message from that peer if the peer's protocol version is >=3D >>> 70017. If sent, the disabletx message MUST be sent prior to sending a >>> verack. >>> > # A node that has sent or received a disabletx message to/from a peer >>> MUST NOT send any of these messages to the peer: >>> > ## inv messages for transactions >>> > ## getdata messages for transactions >>> > ## getdata messages for merkleblock (BIP 37) >>> > ## filteradd/filterload/filterclear (BIP 37) >>> > ## mempool (BIP 35) >>> > # It is RECOMMENDED that a node that has sent or received a disabletx >>> message to/from a peer not send any of these messages to the peer: >>> > ## addr/getaddr >>> > ## addrv2 (BIP 155) >>> > # The behavior regarding sending or processing other message types is >>> not specified by this BIP. >>> > # Nodes MAY decide to not remain connected to peers that send this >>> message (for example, if trying to find a peer that will relay >>> transactions). >>> > >>> > =3D=3DCompatibility=3D=3D >>> > >>> > Nodes with protocol version >=3D 70017 that do not implement this BIP= , >>> and nodes >>> > with protocol version < 70017, will continue to remain compatible wit= h >>> > implementing software: transactions would not be relayed to peers >>> sending the >>> > disabletx message (provided that BIP 37 or BIP 60 has been >>> implemented), and while >>> > periodic address relay may still take place, software implementing >>> this BIP >>> > should not be disconnecting such peers solely for that reason. >>> > >>> > Disabling address relay is suggested but not required by this BIP, to >>> allow for >>> > future protocol extensions that might specify more carefully how >>> address relay >>> > is to be negotiated. This BIP's recommendations for software to not >>> relay >>> > addresses is intended to be interpreted as guidance in the absence of >>> any such >>> > future protocol extension, to accommodate existing software behavior. >>> > >>> > Note that all messages specified in BIP 152, including blocktxn and >>> > getblocktxn, are permitted between peers that have sent/received a >>> disabletx >>> > message, subject to the feature negotiation of BIP 152. >>> > >>> > =3D=3DImplementation=3D=3D >>> > >>> > TBD >>> > >>> > =3D=3DReferences=3D=3D >>> > >>> > # Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759 >>> implemented this functionality] since version 0.19.0.1, released in >>> November 2019. >>> > # For example, see >>> https://www.cs.umd.edu/projects/coinscope/coinscope.pdf and >>> https://arxiv.org/pdf/1812.00942.pdf. >>> > >>> > =3D=3DCopyright=3D=3D >>> > >>> > This BIP is licensed under the 2-clause BSD license. >>> >>> On Wed, Jan 6, 2021 at 4:35 PM Suhas Daftuar via bitcoin-dev < >>> bitcoin-dev@lists.linuxfoundation.org> wrote: >>> >>>> Hi, >>>> >>>> I'm proposing the addition of a new, optional p2p message to allow >>>> peers to communicate that they do not want to send or receive (loose) >>>> transactions for the lifetime of a connection. >>>> >>>> The goal of this message is to help facilitate connections on the >>>> network over which only block-related data (blocks/headers/compact >>>> blocks/etc) are relayed, to create low-resource connections that help >>>> protect against partition attacks on the network. In particular, by a= dding >>>> a network message that communicates that transactions will not be rela= yed >>>> for the life of the connection, we ease the implementation of software= that >>>> could have increased inbound connection limits for such peers, which i= n >>>> turn will make it easier to add additional persistent block-relay-only >>>> connections on the network -- strengthening network security for littl= e >>>> additional bandwidth. >>>> >>>> Software has been deployed for over a year now which makes such >>>> connections, using the BIP37/BIP60 "fRelay" field in the version messa= ge to >>>> signal that transactions should not be sent initially. However, BIP37 >>>> allows for transaction relay to be enabled later in the connection's >>>> lifetime, complicating software that would try to distinguish inbound = peers >>>> that will never relay transactions from those that might. >>>> >>>> This proposal would add a single new p2p message, "disabletx", which >>>> (if used at all) must be sent between version and verack. I propose t= hat >>>> this message is valid for peers advertising protocol version 70017 or >>>> higher. Software is free to implement this BIP or ignore this message= and >>>> remain compatible with software that does implement it. >>>> >>>> Full text of the proposed BIP is below. >>>> >>>> Thanks, >>>> Suhas >>>> >>>> --------------------------------------------------- >>>> >>>> 
>>>>   BIP: XXX
>>>>   Layer: Peer Services
>>>>   Title: Disable transaction relay message
>>>>   Author: Suhas Daftuar 
>>>>   Comments-Summary: No comments yet.
>>>>   Comments-URI:
>>>>   Status: Draft
>>>>   Type: Standards Track
>>>>   Created: 2020-09-03
>>>>   License: BSD-2-Clause
>>>>
>>>> >>>> =3D=3DAbstract=3D=3D >>>> >>>> This BIP describes a change to the p2p protocol to allow a node to tel= l a peer >>>> that a connection will not be used for transaction relay, to support >>>> block-relay-only connections that are currently in use on the network. >>>> >>>> =3D=3DMotivation=3D=3D >>>> >>>> For nearly the past year, software has been deployed[1] which initiate= s >>>> connections on the Bitcoin network and sets the transaction relay fiel= d >>>> (introduced by BIP 37 and also defined in BIP 60) to false, to prevent >>>> transaction relay from occurring on the connection. Additionally, addr= messages >>>> received from the peer are ignored by this software. >>>> >>>> The purpose of these connections is two-fold: by making additional >>>> low-bandwidth connections on which blocks can propagate, the robustnes= s of a >>>> node to network partitioning attacks is strengthened. Additionally, b= y not >>>> relaying transactions and ignoring received addresses, the ability of = an >>>> adversary to learn the complete network graph (or a subgraph) is reduc= ed[2], >>>> which in turn increases the cost or difficulty to an attacker seeking = to carry >>>> out a network partitioning attack (when compared with having such know= ledge). >>>> >>>> The low-bandwidth / minimal-resource nature of these connections is cu= rrently >>>> known only by the initiator of the connection; this is because the tra= nsaction >>>> relay field in the version message is not a permanent setting for the = lifetime >>>> of the connection. Consequently, a node receiving an inbound connecti= on with >>>> transaction relay disabled cannot distinguish between a peer that will= never >>>> enable transaction relay (as described in BIP 37) and one that will. = Moreover, >>>> the node also cannot determine that the incoming connection will ignor= e relayed >>>> addresses; with that knowledge a node would likely choose other peers = to >>>> receive announced addresses instead. >>>> >>>> This proposal adds a new, optional message that a node can send a peer= when >>>> initiating a connection to that peer, to indicate that connection shou= ld not be >>>> used for transaction-relay for the connection's lifetime. In addition,= without >>>> a current mechanism to negotiate whether addresses should be relayed o= n a >>>> connection, this BIP suggests that address messages not be sent on lin= ks where >>>> tx-relay has been disabled. >>>> >>>> =3D=3DSpecification=3D=3D >>>> >>>> # A new disabletx message is added, which is defined as an empty messa= ge where pchCommand =3D=3D "disabletx". >>>> # The protocol version of nodes implementing this BIP must be set to 7= 0017 or higher. >>>> # If a node sets the transaction relay field in the version message to= a peer to false, then the disabletx message MAY also be sent in response t= o a version message from that peer if the peer's protocol version is >=3D 7= 0017. If sent, the disabletx message MUST be sent prior to sending a verack= . >>>> # A node that has sent or received a disabletx message to/from a peer = MUST NOT send any of these messages to the peer: >>>> ## inv messages for transactions >>>> ## getdata messages for transactions >>>> ## getdata messages for merkleblock (BIP 37) >>>> ## filteradd/filterload/filterclear (BIP 37) >>>> ## mempool (BIP 35) >>>> # It is RECOMMENDED that a node that has sent or received a disabletx = message to/from a peer not send any of these messages to the peer: >>>> ## addr/getaddr >>>> ## addrv2 (BIP 155) >>>> # The behavior regarding sending or processing other message types is = not specified by this BIP. >>>> # Nodes MAY decide to not remain connected to peers that send this mes= sage (for example, if trying to find a peer that will relay transactions). >>>> >>>> =3D=3DCompatibility=3D=3D >>>> >>>> Nodes with protocol version >=3D 70017 that do not implement this BIP,= and nodes >>>> with protocol version < 70017, will continue to remain compatible with >>>> implementing software: transactions would not be relayed to peers send= ing the >>>> disabletx message (provided that BIP 37 or BIP 60 has been implemented= ), and while >>>> periodic address relay may still take place, software implementing thi= s BIP >>>> should not be disconnecting such peers solely for that reason. >>>> >>>> Disabling address relay is suggested but not required by this BIP, to = allow for >>>> future protocol extensions that might specify more carefully how addre= ss relay >>>> is to be negotiated. This BIP's recommendations for software to not re= lay >>>> addresses is intended to be interpreted as guidance in the absence of = any such >>>> future protocol extension, to accommodate existing software behavior. >>>> >>>> Note that all messages specified in BIP 152, including blocktxn and >>>> getblocktxn, are permitted between peers that have sent/received a dis= abletx >>>> message, subject to the feature negotiation of BIP 152. >>>> >>>> =3D=3DImplementation=3D=3D >>>> >>>> TBD >>>> >>>> =3D=3DReferences=3D=3D >>>> >>>> # Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759 impl= emented this functionality] since version 0.19.0.1, released in November 20= 19. >>>> # For example, see https://www.cs.umd.edu/projects/coinscope/coinscope= .pdf and https://arxiv.org/pdf/1812.00942.pdf. >>>> >>>> =3D=3DCopyright=3D=3D >>>> >>>> This BIP is licensed under the 2-clause BSD license. >>>> >>>> _______________________________________________ >>>> bitcoin-dev mailing list >>>> bitcoin-dev@lists.linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000dcdff005bc9572c6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> I believe this is what BIP 60 does, or did you h= ave something else in
> mind?

Right, it achieves the first goa= l of dissociating `fRelay` from BIP37 but it doesn't document Core spec= ific behavior of disconnecting peers for raw TX messages reception
from = outbound block-relay-only peers, as implemented by PR 15759. I think BIP 60= is as much unclear as BIP37 "Whether the remote peer should announce = relayed transactions or not, see BIP 0037, since version >=3D 70001"= ;. A first interpretation could be that all tx-relay messages are disabled.= A second interpretation could be that only _tx-announcement_ messages (e.g= INV(TX)) are disabled.

It could be argued that #15759 introduced in= compatible changes between a Bitcon Core 0.19.0 node and a BIP37 compliant = peer on the p2p network. Post-15759, the message space allowed to a BIP37 p= eer has been reduced...Note that BIP60 isn't listed as implemented in b= itcoin/doc/bips.md.

I believe that BIP338 has the merit of making th= ose subjects clear and easy to follow by any Bitcoin software. Instead of s= pawning discussion around old, lightclient-related BIPs or Core undocumente= d disabling transaction relay mechanism being de facto part of the p2p prot= ocol.

> Sorry - I meant that Bitcoin Core should allow a certain = number of
> inbound peers that do not relay txs. This would be in add= ition to the
> full-relay inbound peers.

Yes, I agree on the p= urpose. But I don't think we need to "allow" further disabled= -tx peers by our inbound connection selection or eviction logics. Turning a= few bits in a protocol message sounds a too-cheap burden on potential atta= ckers contrary to most of our current eviction heuristics, forcing some wor= k ("announce transaction fast, "be located in some subnet", = "announce block fast"). Though better to discuss this later, not = the main point of your proposal.

Antoine

Le=C2=A0mar. 2 mar= s 2021 =C3=A0=C2=A007:22, John Newbery via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.= org> a =C3=A9crit=C2=A0:
Antoine,

Nothing i= n my proposal below precludes introducing a more comprehensive
feature n= egotiation mechanism at some later date. The only changes I'm
propos= ing are to Bitcoin Core's policy for how it treats its peer
connecti= ons.

> If we don't want to introduce a new message and
>= ; corresponding code changes, it would be wise at least to extract VERSION&= #39;s
> `fRelay` and how Core handles it in its own BIP.

I bel= ieve this is what BIP 60 does, or did you have something else in
mind?
> Explicit addr-relay negotiation will offer more
> flexibil= ity

I agree!

> (and more hygienic code paths rather than t= riggering data
> structures initialization in few different locations= ).

Not sure what you mean by hygienic here. This seems like a code s= tyle
preference.

> Given inbound connections might be attacker= -controlled and tx-relay opt-out
> signaling is also attacker-control= led, wouldn't this give a bias toward an
> attacker in occupying = our inbound slots ? Compared to honest inbound peers,
> which in aver= age are going to be full-relay.

Sorry - I meant that Bitcoin Core sh= ould allow a certain number of
inbound peers that do not relay txs. This= would be in addition to the
full-relay inbound peers.

John

On= Mon, Mar 1, 2021 at 11:11 PM Antoine Riard <antoine.riard@gmail.com> wrote:
<= div>
Hi John,

> I think a good counter-argument ag= ainst simply using `fRelay` for this
> purpose is that we shouldn'= ;t reuse a protocol feature designed for one
> function to achieve a = totally different aim. However, we know that nodes
> on the network h= ave been using `fRelay` to disable transaction relay
> since Bitcoin = Core version 0.12 (when `-blocksonly` was added), and that
> usage wa= s expanded to _all_ nodes running Bitcoin Core version 0.19 or
> late= r (when block-relay-only connections were introduced), so using
> `fR= elay` to disable transaction relay is now de facto part of the p2p
> = protocol.


I don't think this is good practice ecosystem-wise= . To understand tx-relay opt-out from peers correctly, a _non_ Bitcoin Core= client has to implement the `fRelay` subset of BIP37, but ignore the wider= part around FILTER* messages. Or implement those messages, only to disconn= ect peers sending them, thus following BIP111 requirements.

Thus, fu= ture developers of bitcoin software have the choice between implementing a = standard in a non-compliant way or implementing p2p messages for a light cl= ient protocol in a way of deprecation ? Even further, an interpretation of = BIP 37 ("Being able to opt-out of _inv_ messages until the filter is s= et prevents a client being flooded with traffic in the brief window of time= ") would make it okay to send TX messages to your inbound block-relay-= only peers. And that your client shouldn't be disconnected for such beh= avior.

On the long-term, IMHO, better to have a well-defined standar= d with a clean negotiation mechanism rather than relying on code specifics = of a given Bitcoin client. If we don't want to introduce a new message = and corresponding code changes, it would be wise at least to extract VERSIO= N's `fRelay` and how Core handles it in its own BIP.

> I thin= k a better approach would be for Bitcoin Core to only relay addr
> re= cords to an inbound peer if it has previously received an `addr` or
>= `addrv2` message from that peer, since that indicates definitively that> the peer actively gossips `addr` records. This approach was first
= > suggested by AJ in the original block-relay-only PR[15].

=
If a node is willingly to opt-out from addr-relay from one of its inbo= und peers, how is it supposed to do ? Of course, you can drop such messages= on the floor, your peer is just going to waste bandwidth for nothing. IIRC= from past irc p2p meetings, we're really unclear about what a good-pro= pagation-and-privacy-preserving addr-relay strategy should look like. Note,= that distrusting your inbound peers with your addr-relay might be a sane d= irection. Explicit addr-relay negotiation will offer more flexibility (and = more hygienic code paths rather than triggering data structures initializat= ion in few different locations).

> - update the inboun= d eviction logic to protect more inbound peers which
> do not have tr= ansaction relay data structures.

Given inbound connection= s might be attacker-controlled and tx-relay opt-out signaling is also attac= ker-controlled, wouldn't this give a bias toward an attacker in occupyi= ng our inbound slots ? Compared to honest inbound peers, which in average a= re going to be full-relay.

Cheers,
Antoine=



Le=C2=A0lun. 1 mars 2021 =C3=A0=C2=A016:0= 7, John Newbery via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit=C2=A0:
Hi Suhas,

Thank you for this proposal. I= agree with your aims, but I think a new
P2P message isn't necessary= to achieve them.

# Motivation

There are two distinct (but in= teracting) motivations:

1. Allow a node to accept more incoming conn= ections which will only be
=C2=A0 =C2=A0used for block propagation (no t= ransaction relay or addr gossip),
=C2=A0 =C2=A0while minimizing resource= requirements.

2. Prevent `addr` gossip messages from being sent to = peers which will
=C2=A0 =C2=A0'black hole' those addrs (i.e. not= relay them further).

These motivations interact because if we simpl= y increase the number of
block-relay-only connections that nodes make wi= thout making any
allowance for the fact those connections won't goss= ip addr records, then
we'll increase the number of addr black holes = and worsen addr gossip.

# Using fRelay=3Dfalse to signal no transact= ion relay.

`fRelay` is an optional field in the `version` message. T= here are three
BIPs concerned with `fRelay`:

- BIP 37[1] introduc= ed the `fRelay` field to indicate to the recipient
=C2=A0 that they must= not relay transactions over the connection until a
=C2=A0 `filteradd` m= essage has been received.

- BIP 60[2] aimed to make the `fRelay` fie= ld mandatory. It is not clear
=C2=A0 how widely this BIP has been adopte= d by implementations.

- BIP 111[3] introduced a `NODE_BLOOM` service= bit to indicate that
=C2=A0 bloom filters are served by this node. Acco= rding to this BIP, "If a
=C2=A0 node does not support bloom filters= but receives a "filterload",
=C2=A0 "filteradd", or= "filterclear" message from a peer the node should
=C2=A0 disc= onnect that peer immediately."

Within Bitcoin Core:

- PR= 1795[4] (merged in January 2013) added support for BIP 37 Bloom
=C2=A0 = filters.

- Since PR 2763[5] (merged in June 2013), Bitcoin Core will= _always_
=C2=A0 include the `fRelay` flag in `version` messages that it= sends. Bitcoin
=C2=A0 Core will tolerate the `fRelay` field being prese= nt or absent in any
=C2=A0 `version` message that it receives[6].
- PR 6579[7] (merged in August 2015) implemented BIP 111. From that
=C2= =A0 point on, a Bitcoin Core node would disconnect peers that sent it
= =C2=A0 `filter*` messages if it hadn't enabled `NODE_BLOOM`, provided t= he
=C2=A0 peer's version was >=3D 70011. In PR 7708[8] (merged in= March 2016) this
=C2=A0 was extended to disconnect any peer that sends = a `filter*` message,
=C2=A0 regardless of its version (in general, a = 9;polite disconnect' for any
=C2=A0 peer that requests an unsupporte= d service is probably the best
=C2=A0 behaviour). In PR 16152[9] (merged= in July 2019), serving Bloom
=C2=A0 filters was disabled by default, du= e to potential denial-of-service
=C2=A0 attacks being possible against n= odes which serve bloom filters on
=C2=A0 public connections.

- PR= 6993[10] (merged in November 2015) started reusing the `fRelay`
=C2=A0 = field for the new `-blocksonly` mode. If Bitcoin Core is started with
= =C2=A0 `-blocksonly` configured, then it includes `fRelay=3Dfalse` in all o= f
=C2=A0 the `version` messages it sends. In PR 15759[11] (merged =C2=A0= in September
=C2=A0 2019), this usage of `fRelay` to permanently disable= tx relay was
=C2=A0 extended for use by the new block-relay only connec= tion type.

The net effect is that `fRelay` is already being used to = indicate that
transactions should not be relayed over a connection. In t= he motivation
for your BIP, you write:

> The low-bandwidth / m= inimal-resource nature of these connections is
> currently known only= by the initiator of the connection; this is
> because the transactio= n relay field in the version message is not a
> permanent setting for= the lifetime of the connection.=C2=A0 Consequently, a
> node receivi= ng an inbound connection with transaction relay disabled
> cannot dis= tinguish between a peer that will never enable transaction
> relay (a= s described in BIP 37) and one that will...

However, as AJ points ou= t in his response [12], the Bitcoin Core node
_does_ know whether transa= ction relay can be supported as soon as the
`version` message is receive= d:

> [...] you either set m_tx_relay->fRelayTxes to true via t= he VERSION
> message (either explicitly or by not setting fRelay), or= you enable it
> later with FILTERLOAD or FILTERCLEAR, both of which = will cause a
> disconnect if bloom filters aren't supported. Bloo= m filter support is
> (optionally?) indicated via a service bit (BIP = 111), so you could
> assume you know whether they're supported as= soon as you receive the
> VERSION line.

i.e. if Bitcoin Core = node is running under normal configuration with
bloom filters disabled f= or public connections (which is both the default
setting and highly reco= mmended due to DoS concerns), then as soon as it
receives a `version` me= ssage with `fRelay=3Dfalse`, it can be sure that
there will never be any= transaction relay with that peer. If the peer
later tries to enable tra= nsaction relay by sending a `filterload`
message, then the node will dis= connect that peer immediately.

In summary, we can continue using the= `fRelay` field to indicate that
no transaction relay can happen for the= entire lifetime of the
connection.=C2=A0 Bitcoin Core can postpone allo= cating resources for
transaction relay data structures until after the v= ersion message has
been received to minimize resource usage for incoming= block-relay-only
connections. A rough implementation is here[13]. Obvio= usly, a node that
has been configured to serve bloom filters on public c= onnections would
not be able to take advantage of this and accept additi= onal incoming
block-relay-only peers, but I think that's fine - we a= lready discourage
that configuration.

I think a good counter-argu= ment against simply using `fRelay` for this
purpose is that we shouldn&#= 39;t reuse a protocol feature designed for one
function to achieve a tot= ally different aim. However, we know that nodes
on the network have been= using `fRelay` to disable transaction relay
since Bitcoin Core version = 0.12 (when `-blocksonly` was added), and that
usage was expanded to _all= _ nodes running Bitcoin Core version 0.19 or
later (when block-relay-onl= y connections were introduced), so using
`fRelay` to disable transaction= relay is now de facto part of the p2p
protocol.

# Preventing add= r black holes

Addresses of potential peers are gossiped around the p= 2p network using
`addr` messages. When a Bitcoin Core node learns of a n= ew `addr` record,
it will relay that record to one or two of its peers, = chosen at
random[14]. The idea is that eventually the `addr` record will= reach
most of the nodes on the network.

If there are too many no= des on the network that receive `addr` records
and do not relay those re= cords on to their peers (termed _addr black
hole_ nodes), then propagati= on of those `addr` records suffers -- any
individual `addr` record is un= likely to reach a large proportion of
nodes on the network.

Since= a motivation for block-relay-only connections is to protect
against ecl= ipse attacks and thwart network topology analysis, Bitcoin
Core will not= relay `addr` records on those connections, and will ignore
any `addr` r= ecord received over those connections. Therefore, increasing
the number = of block-relay-only connections without changing the `addr`
gossip logic= is likely to increase the prevalence of addr black holes,
and negativel= y impact addr propagation. This is why BIP 338 includes:

> It is = RECOMMENDED that a node that has sent or received a disabletx
> messa= ge to/from a peer not send any of these messages to the peer:
>
&= gt; - addr/getaddr
> - addrv2 (BIP 155)

I think a better appro= ach would be for Bitcoin Core to only relay addr
records to an inbound p= eer if it has previously received an `addr` or
`addrv2` message from tha= t peer, since that indicates definitively that
the peer actively gossips= `addr` records. This approach was first
suggested by AJ in the original= block-relay-only PR[15].

An advantage of this approach is that it w= ill improve addr propagation
immediately and without any change to the P= 2P protocol, and will prevent
sending `addr` records to all addr black h= oles (such as light clients),
not just incoming block-relay-only connect= ions.

# Conclusion

We can increase the permitted number of in= bound block-relay-only peers
while minimizing resource requirement _and_= improving addr record
propagation, without any changes to the p2p proto= col required.

I propose that for Bitcoin Core version 22.0:

-= only initialize the transaction relay data structures after the
=C2=A0 = `version` message is received, and only if fRelay=3Dtrue and
=C2=A0 `NOD= E_BLOOM` is not offered on this connection.
- only initialize the addr d= ata structures for inbound connections when
=C2=A0 an `addr`, `addrv2` o= r `getaddr` message is received on the
=C2=A0 connection, and only consi= der a connection for addr relay if its addr
=C2=A0 data structures are i= nitialized.
- update the inbound eviction logic to protect more inbound = peers which
=C2=A0 do not have transaction relay data structures.
Then, in version 23.0:

- modestly increase the number of outbound b= lock-relay-only connections.

John

[1] https= ://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki
[2] https://github.com/bitcoin/bips/blob/master/bip-0060.mediawiki<= /a>
[3] https://github.com/bitcoin/bips/blob/master/bi= p-0111.mediawiki
[4] https://github.com/bitcoin/bitcoin/pull/1795
[5] https://github.com/bitcoin/bitcoin/pull/2763
[6] https://github= .com/bitcoin/bitcoin/blob/e49117470b77fb7d53be122c6490ba163c6e304d/src/net_= processing.cpp#L2582-L2583
[7] https://github.com/bitcoin/bitcoin/pu= ll/6579
[8] https://github.com/bitcoin/bitcoin/pull/7708
[9] = https://github.com/bitcoin/bitcoin/pull/16152
[10] https://github.c= om/bitcoin/bitcoin/pull/6993
[11] https://github.com/bitcoin/bitcoi= n/pull/15759
[12] https://lists.= linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018347.html
[= 13] https://github.com/jnewbery/bitcoin/tree/2021-02-laz= y-init-peer
[14] https://github.com/bitcoin/bitcoin/blob/e52ce9f2b312b3c= f3b0837918e07d7603e241d63/src/net_processing.cpp#L1696-L1700
[15] https://github.com/bitcoin/bitcoin/pull/15759#issueco= mment-527012757

> Hi,
>
> I'm proposing the = addition of a new, optional p2p message to allow peers to communicate that = they do not want to send or receive (loose) transactions for the lifetime o= f a connection.
>
> The goal of this message is to help facil= itate connections on the network over which only block-related data (blocks= /headers/compact blocks/etc) are relayed, to create low-resource connection= s that help protect against partition attacks on the network.=C2=A0 In part= icular, by adding a network message that communicates that transactions wil= l not be relayed for the life of the connection, we ease the implementation= of software that could have increased inbound connection limits for such p= eers, which in turn will make it easier to add additional persistent block-= relay-only connections on the network -- strengthening network security for= little additional bandwidth.
>
> Software has been deployed f= or over a year now which makes such connections, using the BIP37/BIP60 &quo= t;fRelay" field in the version message to signal that transactions sho= uld not be sent initially.=C2=A0 However, BIP37 allows for transaction rela= y to be enabled later in the connection's lifetime, complicating softwa= re that would try to distinguish inbound peers that will never relay transa= ctions from those that might.
>
> This proposal would add a si= ngle new p2p message, "disabletx", which (if used at all) must be= sent between version and verack.=C2=A0 I propose that this message is vali= d for peers advertising protocol version 70017 or higher.=C2=A0 Software is= free to implement this BIP or ignore this message and remain compatible wi= th software that does implement it.
>
> Full text of the propo= sed BIP is below.
>
> Thanks,
> Suhas
>
> -= --------------------------------------------------
>
> <pre= >
> =C2=A0 BIP: XXX
> =C2=A0 Layer: Peer Services
> = =C2=A0 Title: Disable transaction relay message
> =C2=A0 Author: Suha= s Daftuar <s= daftuar@chaincode.com>
> =C2=A0 Comments-Summary: No comments = yet.
> =C2=A0 Comments-URI:
> =C2=A0 Status: Draft
> =C2= =A0 Type: Standards Track
> =C2=A0 Created: 2020-09-03
> =C2=A0= License: BSD-2-Clause
> </pre>
>
> =3D=3DAbstract= =3D=3D
>
> This BIP describes a change to the p2p protocol to = allow a node to tell a peer
> that a connection will not be used for = transaction relay, to support
> block-relay-only connections that are= currently in use on the network.
>
> =3D=3DMotivation=3D=3D>
> For nearly the past year, software has been deployed[1] whi= ch initiates
> connections on the Bitcoin network and sets the transa= ction relay field
> (introduced by BIP 37 and also defined in BIP 60)= to false, to prevent
> transaction relay from occurring on the conne= ction. Additionally, addr messages
> received from the peer are ignor= ed by this software.
>
> The purpose of these connections is t= wo-fold: by making additional
> low-bandwidth connections on which bl= ocks can propagate, the robustness of a
> node to network partitionin= g attacks is strengthened.=C2=A0 Additionally, by not
> relaying tran= sactions and ignoring received addresses, the ability of an
> adversa= ry to learn the complete network graph (or a subgraph) is reduced[2],
&g= t; which in turn increases the cost or difficulty to an attacker seeking to= carry
> out a network partitioning attack (when compared with having= such knowledge).
>
> The low-bandwidth / minimal-resource nat= ure of these connections is currently
> known only by the initiator o= f the connection; this is because the transaction
> relay field in th= e version message is not a permanent setting for the lifetime
> of th= e connection.=C2=A0 Consequently, a node receiving an inbound connection wi= th
> transaction relay disabled cannot distinguish between a peer tha= t will never
> enable transaction relay (as described in BIP 37) and = one that will.=C2=A0 Moreover,
> the node also cannot determine that = the incoming connection will ignore relayed
> addresses; with that kn= owledge a node would likely choose other peers to
> receive announced= addresses instead.
>
> This proposal adds a new, optional mes= sage that a node can send a peer when
> initiating a connection to th= at peer, to indicate that connection should not be
> used for transac= tion-relay for the connection's lifetime. In addition, without
> = a current mechanism to negotiate whether addresses should be relayed on a> connection, this BIP suggests that address messages not be sent on l= inks where
> tx-relay has been disabled.
>
> =3D=3DSpeci= fication=3D=3D
>
> # A new disabletx message is added, which i= s defined as an empty message where pchCommand =3D=3D "disabletx"= .
> # The protocol version of nodes implementing this BIP must be set= to 70017 or higher.
> # If a node sets the transaction relay field i= n the version message to a peer to false, then the disabletx message MAY al= so be sent in response to a version message from that peer if the peer'= s protocol version is >=3D 70017. If sent, the disabletx message MUST be= sent prior to sending a verack.
> # A node that has sent or received= a disabletx message to/from a peer MUST NOT send any of these messages to = the peer:
> ## inv messages for transactions
> ## getdata messa= ges for transactions
> ## getdata messages for merkleblock (BIP 37)> ## filteradd/filterload/filterclear (BIP 37)
> ## mempool (BIP= 35)
> # It is RECOMMENDED that a node that has sent or received a di= sabletx message to/from a peer not send any of these messages to the peer:<= br>> ## addr/getaddr
> ## addrv2 (BIP 155)
> # The behavior = regarding sending or processing other message types is not specified by thi= s BIP.
> # Nodes MAY decide to not remain connected to peers that sen= d this message (for example, if trying to find a peer that will relay trans= actions).
>
> =3D=3DCompatibility=3D=3D
>
> Nodes= with protocol version >=3D 70017 that do not implement this BIP, and no= des
> with protocol version < 70017, will continue to remain compa= tible with
> implementing software: transactions would not be relayed= to peers sending the
> disabletx message (provided that BIP 37 or BI= P 60 has been implemented), and while
> periodic address relay may st= ill take place, software implementing this BIP
> should not be discon= necting such peers solely for that reason.
>
> Disabling addre= ss relay is suggested but not required by this BIP, to allow for
> fu= ture protocol extensions that might specify more carefully how address rela= y
> is to be negotiated. This BIP's recommendations for software = to not relay
> addresses is intended to be interpreted as guidance in= the absence of any such
> future protocol extension, to accommodate = existing software behavior.
>
> Note that all messages specifi= ed in BIP 152, including blocktxn and
> getblocktxn, are permitted be= tween peers that have sent/received a disabletx
> message, subject to= the feature negotiation of BIP 152.
>
> =3D=3DImplementation= =3D=3D
>
> TBD
>
> =3D=3DReferences=3D=3D
>=
> # Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/1575= 9 implemented this functionality] since version 0.19.0.1, released in N= ovember 2019.
> # For example, see https://www.cs.umd.edu/= projects/coinscope/coinscope.pdf and https://arxiv.org/pdf/1812.00942.pdf.<= br>>
> =3D=3DCopyright=3D=3D
>
> This BIP is license= d under the 2-clause BSD license.

<= div dir=3D"ltr" class=3D"gmail_attr">On Wed, Jan 6, 2021 at 4:35 PM Suhas D= aftuar via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wr= ote:
Hi,

I'm proposing the addition of a new, optio= nal p2p message to allow peers to communicate that they do not want to send= or receive (loose) transactions for the lifetime of a connection.=C2=A0

The goal of this message is to help facilitate=C2=A0= connections on the network over which only block-related data (blocks/heade= rs/compact blocks/etc) are relayed, to create low-resource connections that= help protect against partition attacks on the network.=C2=A0 In particular= , by adding a network message that communicates that transactions will not = be relayed for the life of the connection, we ease the implementation of so= ftware that could have increased inbound connection limits for such peers, = which in turn will make it easier to add additional persistent block-relay-= only connections on the network -- strengthening network security for littl= e additional bandwidth.

Software has been deployed= for over a year now which makes such connections, using the BIP37/BIP60 &q= uot;fRelay" field in the version message to signal that transactions s= hould not be sent initially.=C2=A0 However, BIP37 allows for transaction re= lay to be enabled=C2=A0later in the connection's lifetime, complicating= software that would try to distinguish inbound peers that will never relay= transactions from those that might.

This proposal= would add a single new p2p message, "disabletx", which (if used = at all) must be sent between version and verack.=C2=A0 I propose that this = message is valid for peers advertising protocol version 70017 or higher.=C2= =A0 Software=C2=A0is free to implement this BIP or ignore this message and = remain compatible with software that does implement it.

Full text of the proposed BIP is below.

Than= ks,
Suhas

----------------------= -----------------------------

<pre>
  BIP: XXX
  Layer: Peer Services
  Title: Disable transaction relay message
  Author: Suhas Daftuar <sdaftuar@chaincode.com>
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Draft
  Type: Standards Track
  Created: 2020-09-03
  License: BSD-2-Clause
</pre>

=3D=3DAbstract=3D=3D

This BIP describes a change to the p2p protocol to allow a node to tell a p=
eer
that a connection will not be used for transaction relay, to support
block-relay-only connections that are currently in use on the network.

=3D=3DMotivation=3D=3D

For nearly the past year, software has been deployed[1] which initiates
connections on the Bitcoin network and sets the transaction relay field
(introduced by BIP 37 and also defined in BIP 60) to false, to prevent
transaction relay from occurring on the connection. Additionally, addr mess=
ages
received from the peer are ignored by this software.

The purpose of these connections is two-fold: by making additional
low-bandwidth connections on which blocks can propagate, the robustness of =
a
node to network partitioning attacks is strengthened.  Additionally, by not
relaying transactions and ignoring received addresses, the ability of an
adversary to learn the complete network graph (or a subgraph) is reduced[2]=
,
which in turn increases the cost or difficulty to an attacker seeking to ca=
rry
out a network partitioning attack (when compared with having such knowledge=
).

The low-bandwidth / minimal-resource nature of these connections is current=
ly
known only by the initiator of the connection; this is because the transact=
ion
relay field in the version message is not a permanent setting for the lifet=
ime
of the connection.  Consequently, a node receiving an inbound connection wi=
th
transaction relay disabled cannot distinguish between a peer that will neve=
r
enable transaction relay (as described in BIP 37) and one that will.  Moreo=
ver,
the node also cannot determine that the incoming connection will ignore rel=
ayed
addresses; with that knowledge a node would likely choose other peers to
receive announced addresses instead.

This proposal adds a new, optional message that a node can send a peer when
initiating a connection to that peer, to indicate that connection should no=
t be
used for transaction-relay for the connection's lifetime. In addition, =
without
a current mechanism to negotiate whether addresses should be relayed on a
connection, this BIP suggests that address messages not be sent on links wh=
ere
tx-relay has been disabled.

=3D=3DSpecification=3D=3D

# A new disabletx message is added, which is defined as an empty message wh=
ere pchCommand =3D=3D "disabletx".
# The protocol version of nodes implementing this BIP must be set to 70017 =
or higher.
# If a node sets the transaction relay field in the version message to a pe=
er to false, then the disabletx message MAY also be sent in response to a v=
ersion message from that peer if the peer's protocol version is >=3D=
 70017. If sent, the disabletx message MUST be sent prior to sending a vera=
ck.
# A node that has sent or received a disabletx message to/from a peer MUST =
NOT send any of these messages to the peer:
## inv messages for transactions
## getdata messages for transactions
## getdata messages for merkleblock (BIP 37)
## filteradd/filterload/filterclear (BIP 37)
## mempool (BIP 35)
# It is RECOMMENDED that a node that has sent or received a disabletx messa=
ge to/from a peer not send any of these messages to the peer:
## addr/getaddr
## addrv2 (BIP 155)
# The behavior regarding sending or processing other message types is not s=
pecified by this BIP.
# Nodes MAY decide to not remain connected to peers that send this message =
(for example, if trying to find a peer that will relay transactions).

=3D=3DCompatibility=3D=3D

Nodes with protocol version >=3D 70017 that do not implement this BIP, a=
nd nodes
with protocol version < 70017, will continue to remain compatible with
implementing software: transactions would not be relayed to peers sending t=
he
disabletx message (provided that BIP 37 or BIP 60 has been implemented), an=
d while
periodic address relay may still take place, software implementing this BIP
should not be disconnecting such peers solely for that reason.

Disabling address relay is suggested but not required by this BIP, to allow=
 for
future protocol extensions that might specify more carefully how address re=
lay
is to be negotiated. This BIP's recommendations for software to not rel=
ay
addresses is intended to be interpreted as guidance in the absence of any s=
uch
future protocol extension, to accommodate existing software behavior.

Note that all messages specified in BIP 152, including blocktxn and
getblocktxn, are permitted between peers that have sent/received a disablet=
x
message, subject to the feature negotiation of BIP 152.

=3D=3DImplementation=3D=3D

TBD

=3D=3DReferences=3D=3D

# Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759 impl=
emented this functionality] since version 0.19.0.1, released in November 20=
19.
# For example, see https://www.cs.umd.edu/projects/coinscope/coi=
nscope.pdf and https://arxiv.org/pdf/1812.00942.pdf.

=3D=3DCopyright=3D=3D

This BIP is licensed under the 2-clause BSD license.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000dcdff005bc9572c6--